observability team mailing list archive
Message #00008
Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf
Sounds good to me. @Emilia Torino <emilia.torino@xxxxxxxxxxxxx> do you need
those repos to exist in Docker Hub before you can onboard these?
On Fri, Jun 9, 2023 at 10:42 AM Luca Bello <luca.bello@xxxxxxxxxxxxx> wrote:
> Hello everyone,
>
> as mentioned before, the ROCKs we have are all based on upstream projects;
> the list is the following, as required:
>
> * Alertmanager (https://github.com/prometheus/alertmanager)
> * Grafana Agent (https://github.com/grafana/agent)
> * Grafana (https://github.com/grafana/grafana)
> * Loki (https://github.com/grafana/loki)
> * Mimir (https://github.com/grafana/mimir)
> * SeaweedFS (https://github.com/seaweedfs/seaweedfs)
> * Traefik (https://github.com/traefik/traefik)
>
> Please let me know if any of these qualifies!
>
>
> Cheers,
>
> Luca
> On 31/05/2023 18:29, Cristovao Cordeiro wrote:
>
>> So the only change from our side will be to add
>> prometheus to the email notification subject (or I guess we can just
>> simply replace it with "CVEs potentially affecting upstream based
>> ROCKs"). Are the email recipients the same ones for the other ones?
>
>
> I think that would be fine for now. I'm reluctant to use the mailing list
> as a catch-all, but I think we can re-design this once there is an event
> bus at Canonical, so we rely less on emails.
>
> As for the other 10 ROCKs, @Luca Bello <luca.bello@xxxxxxxxxxxxx> let's
> first do the right due diligence on those, cause if a ROCK is not meant to
> be under the "ubuntu" namespace, then this security monitoring doesn't need
> to apply.
>
> On Wed, May 31, 2023 at 3:58 PM Emilia Torino <emilia.torino@xxxxxxxxxxxxx>
> wrote:
>
>>
>> Hi all,
>>
>> On 31/5/23 04:03, Luca Bello wrote:
>> > Hi everyone,
>> >
>> > as said in the thread already, the prometheus image is indeed a ROCK
>> > based on the *prometheus/prometheus* repository.
>>
>> That's very convenient. But just to be clear again, we are not
>> "inspecting" the upstream based rocks the same way we do for the deb
>> based ones. We are only monitoring new CVEs created for prometheus,
>> protobuf and consul. So the only change from our side will be to add
>> prometheus to the email notification subject (or I guess we can just
>> simply replace it with "CVEs potentially affecting upstream based
>> ROCKs"). Are the email recipients the same ones for the other ones?
>>
>> >
>> > We're in the process of updating all of our ROCKs in a similar way,
>> > meaning we want to make sure we are complying with any guidelines you
>> > might have on them.
>> > We have about 10 ROCKs at the moment, mostly based on upstream projects
>> > just like this one. Should I share the full list, so you can track them?
>>
>> I am happy to do an analysis of this list to see if we can add more. The
>> short answer would be that if the software is packaged as a deb in main
>> or universe (which is the situation for prometheus, protobuf and consul)
>> then we can simply add them. This is because the service is based on the
>> existing CVE triage work the security team does, which is mainly for
>> debs (although it is now being extended to other ecosystems because of SOSS
>> but it is still limited and mainly supporting NVIDIA software).
>>
>> A simple improvement though could be to map the projects to the rocks so
>> you don't get a general notification, but one per ROCK as the USNs/debs
>> based service does. We can work on adding this for the next cycle.
>>
>> >
>> >
>> > Cheers,
>> >
>> > Luca
>> >
>> >
>> > On 31/05/2023 08:12, Cristovao Cordeiro wrote:
>> >> Thank you for the swift action, Emilia!
>> >>
>> >> > Does this relate to a question being asked some hours ago in
>> >> > ~Security https://chat.canonical.com/canonical/pl/dchhoa7wxtyiper7rbk8h43mjo?
>> >>
>> >> Yes, precisely. @Luca Bello <mailto:luca.bello@xxxxxxxxxxxxx> is in
>> >> the process of updating that image and we're re-doing our due diligence.
>> >> Luca can confirm, but this seems to be a ROCK based precisely on that
>> >> upstream Prometheus repository that you are already monitoring
>> >> (https://github.com/canonical/prometheus-rock/blob/main/rockcraft.yaml#L19).
>> >>
>> >> Can we then add this image to your list of tracked ROCKs?
>> >>
>> >>
>> >> On Tue, May 30, 2023 at 9:45 PM Emilia Torino
>> >> <emilia.torino@xxxxxxxxxxxxx> wrote:
>> >>
>> >> Hey all,
>> >>
>> >> On 30/5/23 13:14, Emilia Torino wrote:
>> >> > Hi Cristovao,
>> >> >
>> >> > On 30/5/23 09:41, Cristovao Cordeiro wrote:
>> >> >> Hi Emilia,
>> >> >>
>> >> >> could you please confirm the `prometheus` container image is being
>> >> >> monitored?
>> >> >
>> >> > I don't see prometheus being monitored by our services (not as a rock
>> >> > based on upstream source code nor as a rock based on debs). Does this
>> >> > relate to a question being asked some hours ago in
>> >> > ~Security https://chat.canonical.com/canonical/pl/dchhoa7wxtyiper7rbk8h43mjo?
>> >> >
>> >> >
>> >> >> These emails' subject only mentions cortex and telegraf, but
>> >> >> I can see "https://github.com/prometheus/prometheus" in the body of the
>> >> >> email.
>> >> >
>> >> > Apologies for the confusion, this sounds like a bug in the email content
>> >> > generator code. I will take a look at it later.
>> >>
>> >> I investigated this bug and it should be solved already. There was an
>> >> issue in the past, but we fixed it already. I thought it could be
>> >> related but I see this notification you are asking about is from March.
>> >> If you check the last notification sent on Thu, May 4, 2:03 AM, it is
>> >> correctly reporting about a single package (cortex only).
>> >>
>> >> Let me know if you have any further questions.
>> >>
>> >> > In this case, only a new CVE affecting consul has been created in our
>> >> > tracker
>> >> > https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845.
>> >> >
>> >> > Still, this does not mean cortex and telegraf are affected, since this
>> >> > needs triage (i.e. understand if the code/version present in the rocks
>> >> > are indeed vulnerable).
>> >> >
>> >> > FYI the reason why https://github.com/prometheus/prometheus (and also
>> >> > https://github.com/gogo/protobuf) are listed in this email, is because
>> >> > these 3 are the *only* upstream projects we are monitoring (because of
>> >> > the bug the 3 are incorrectly listed in the email, only consul should
>> >> > be). In other words, we are not scanning every upstream source project
>> >> > which is used to build cortex and telegraf.
>> >> >
>> >> > There are reasons why this service is very limited, and I hope this
>> >> > is/was clear. Let me know if you need more information.
>> >> >
>> >> > Emilia
>> >> >
>> >> >
>> >> >>
>> >> >> ---------- Forwarded message ---------
>> >> >> From: <security-team-toolbox-bot@xxxxxxxxxxxxx>
>> >> >> Date: Sat, Mar 11, 2023 at 6:03 AM
>> >> >> Subject: [Ubuntu-docker-images] CVEs potentially affecting cortex and
>> >> >> telegraf
>> >> >> To: <ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx>,
>> >> >> <sergio.durigan@xxxxxxxxxxxxx>, <emilia.torino@xxxxxxxxxxxxx>,
>> >> >> <alex.murray@xxxxxxxxxxxxx>, <simon.aronsson@xxxxxxxxxxxxx>,
>> >> >> <dylan.stephano-shachter@xxxxxxxxxxxxx>
>> >> >>
>> >> >>
>> >> >> New CVEs affecting packages used to build upstream based rocks have been
>> >> >> created in the Ubuntu CVE tracker:
>> >> >>
>> >> >> * https://github.com/gogo/protobuf:
>> >> >> * https://github.com/hashicorp/consul: CVE-2023-0845
>> >> >> * https://github.com/prometheus/prometheus:
>> >> >>
>> >> >> Please review your rock to understand if it is affected by these CVEs.
>> >> >>
>> >> >> Thank you for your rock and for attending to this matter.
>> >> >>
>> >> >> References:
>> >> >> https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845
>> >> >>
>> >> >>
>> >> >> --
>> >> >> Mailing list: https://launchpad.net/~ubuntu-docker-images
>> >> >> Post to : ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx
>> >> >> Unsubscribe : https://launchpad.net/~ubuntu-docker-images
>> >> >> More help : https://help.launchpad.net/ListHelp
>> >> >>
>> >> >>
>> >> >> --
>> >> >> Cris
>> >>
>> >>
>> >>
>> >> --
>> >> Cris
>>
>
>
> --
> Cris
>
>
--
Cris
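A sketch of the per-ROCK notification Emilia proposes in the thread (one e-mail per ROCK instead of a general one), added here as an example and not the security team's toolbox code. The ROCK-to-upstream mapping, the ROCK names beyond those in the thread and the "new CVEs" input are constructed stand-ins for what a real run would read from each rockcraft.yaml and the Ubuntu CVE tracker; only consul's CVE-2023-0845 comes from the thread. It also drops upstream projects that have no new CVE, which is the empty-entry behaviour the March e-mail showed.

```python
"""Per-ROCK CVE notification builder (added example, not the toolbox's code)."""

TRACKER = "https://git.launchpad.net/ubuntu-cve-tracker/tree/active/"

# Constructed: upstream projects each ROCK is built from (in practice taken
# from the rock's rockcraft.yaml).
ROCK_UPSTREAMS = {
    "cortex": ["https://github.com/prometheus/prometheus",
               "https://github.com/gogo/protobuf",
               "https://github.com/hashicorp/consul"],
    "telegraf": ["https://github.com/hashicorp/consul"],
    "prometheus": ["https://github.com/prometheus/prometheus"],
}

# Constructed: new tracker entries since the last run, keyed by project.
# Only consul has one here, matching the March notification in the thread.
NEW_CVES = {"https://github.com/hashicorp/consul": ["CVE-2023-0845"]}


def affected_projects(rock, rock_upstreams=ROCK_UPSTREAMS, new_cves=NEW_CVES):
    """Return {project: [cve, ...]} for the rock's upstreams with new CVEs.

    Projects whose CVE list is empty are dropped, so a notification never
    lists a project followed by nothing, as the March e-mail did.
    """
    return {p: sorted(new_cves[p]) for p in rock_upstreams.get(rock, [])
            if new_cves.get(p)}


def build_notifications(rock_upstreams=ROCK_UPSTREAMS, new_cves=NEW_CVES):
    """Return {rock: (subject, body)}; unaffected rocks get no entry at all."""
    out = {}
    for rock in sorted(rock_upstreams):
        hits = affected_projects(rock, rock_upstreams, new_cves)
        if not hits:
            continue  # nothing new for this rock: stay silent
        subject = f"[Ubuntu-docker-images] CVEs potentially affecting {rock}"
        lines = [f"New CVEs affecting packages used to build the {rock} rock "
                 "have been created in the Ubuntu CVE tracker:", ""]
        lines += [f"* {p}: {', '.join(cves)}" for p, cves in hits.items()]
        lines += ["", "References:"]
        lines += [TRACKER + c for cves in hits.values() for c in cves]
        out[rock] = (subject, "\n".join(lines))
    return out
```

Calling `build_notifications()` with the constructed input yields messages for cortex and telegraf only; the prometheus rock, whose sole upstream has no new CVE, receives nothing.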